John Mitchell
Monolithic design

Figure: one program handles network input, user input, the file system and network output as a single system. Every part runs with the same privileges, so a flaw in any one part (say, the network parser) exposes everything the program can touch.
Component design

Figure: the same work split into separate components, one for network input, one for user input and the user display/device, one for the file system. Each component holds only the resources it needs, so a compromise of the network-facing component does not by itself reach the file system.
Qmail design

Isolation, based on OS isolation:
 - Separate modules run as separate users
 - Each user only has access to specific resources

Least privilege:
 - Only one setuid program (setuid allows a program to run as a different user)
 - Only one root program (the root program has all privileges)

Structure of qmail

Mail enters through qmail-smtpd (from the network) or qmail-inject (from local users); both hand the message to qmail-queue.

 - qmail-queue: splits the message into header and body, writes it into the incoming mail (queue) directories, and signals qmail-send
 - qmail-send: reads the incoming mail directories and signals qmail-lspawn if the recipient is local, qmail-rspawn if the recipient is remote
 - qmail-lspawn: spawns qmail-local; qmail-local runs with the ID of the user receiving the local mail
 - qmail-local: handles alias expansion, delivers local mail, and calls qmail-queue again if the mail has to be re-queued (for example, forwarded)
 - qmail-rspawn: spawns qmail-remote, which delivers to the remote host

Which user each program runs as:

  qmail-inject                  the invoking user
  qmail-queue                   setuid (the one setuid program)
  qmail-send                    qmails
  qmail-lspawn                  root (the one root program)
  qmail-local                   the receiving user
  qmail-rspawn, qmail-remote    qmailr

Least privilege

Only qmail-queue carries the setuid bit, and only qmail-lspawn runs as root, because switching to an arbitrary receiving user's ID requires root. Every other program, including the network-facing qmail-smtpd, runs as an unprivileged user with access to just its own files, so a bug in one stage does not hand an attacker the privileges of another.
Access control

Assumptions:
 - The system knows who the user is (authentication via name and password, or another credential)
 - Every access request passes through the reference monitor

Figure: a user process issues an access request; the reference monitor checks it against the policy and either grants or refuses access to the resource.
Access matrix [Lampson]

Figure: rows are users (User 1 ... User m), columns are resources (File 1 ... File n); each entry holds the rights that user has on that resource (read, write, or - for none).

Two ways to store the matrix:
 - Access control list (ACL): store a column of the matrix with the resource
 - Capability: store a row of the matrix with the user; the user holds a ticket for each resource. Two variations: tickets kept under OS control, or unforgeable tickets held in user space

Access control lists are widely used, often with groups. Some aspects of the capability concept are used in many systems.
ACL vs Capabilities

Access control list:
 - Associate a list with each object
 - Check the user/group against the list
 - Relies on authentication: need to know the user

Capabilities:
 - A capability is an unforgeable ticket (a random bit sequence, or managed by the OS)
 - Can be passed from one process to another
 - The reference monitor checks the ticket; it does not need to know the identity of the user or process

Figure: user U runs processes P, Q and R. Under an ACL all three are checked as U and get the same rights; under capabilities P holds c, d, e, Q holds c, e, and R holds only c, so each process is limited to the tickets it was given.

Delegation:
 - Cap: a process can pass a capability at run time
 - ACL: try to get the owner to add the permission to the list? More common: let the other process act under the current user

Revocation:
 - ACL: remove the user or group from the list
 - Cap: try to get the capability back from the process? Possible in some systems with appropriate bookkeeping, since the OS knows which data is a capability. If one capability is used for multiple resources, you have to revoke all or none
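The two storage layouts and the delegation/revocation difference above, as an added example that is not part of the original slides. The access matrix, user names and resource names are constructed for the illustration; the capability monitor issues random 128-bit tickets and checks only the ticket, never the identity of the caller.

```python
import secrets

# Constructed access matrix (not from the page): rows are users, columns are
# resources, entries are the rights each user holds on that resource.
MATRIX = {
    "alice": {"file1": {"read", "write"}, "file2": {"read"}},
    "bob":   {"file1": {"read"},          "file2": set()},
}

def acl_for(resource):
    """ACL view: one column of the matrix, stored with the resource."""
    return {user: rows[resource] for user, rows in MATRIX.items() if rows.get(resource)}

class AclMonitor:
    """Checks (authenticated user, resource, right) against the object's list."""
    def __init__(self):
        resources = {res for rows in MATRIX.values() for res in rows}
        self.acls = {res: acl_for(res) for res in resources}

    def check(self, user, resource, right):
        return right in self.acls.get(resource, {}).get(user, set())

    def revoke(self, user, resource):
        self.acls[resource].pop(user, None)

class CapabilityMonitor:
    """Issues unforgeable random tickets and checks them without knowing who holds them."""
    def __init__(self):
        self.table = {}   # ticket -> (resource, rights)

    def issue(self, resource, rights):
        ticket = secrets.token_hex(16)            # 128 random bits: not guessable
        self.table[ticket] = (resource, frozenset(rights))
        return ticket

    def check(self, ticket, resource, right):
        entry = self.table.get(ticket)
        return entry is not None and entry[0] == resource and right in entry[1]

    def revoke(self, ticket):
        self.table.pop(ticket, None)

def capabilities_for(monitor, user):
    """Capability view: one row of the matrix, handed to the user as tickets."""
    return {res: monitor.issue(res, rights) for res, rights in MATRIX[user].items() if rights}

def demo():
    acl = AclMonitor()
    caps = CapabilityMonitor()
    alice_caps = capabilities_for(caps, "alice")
    results = {}
    results["acl_bob_write"] = acl.check("bob", "file1", "write")       # False
    results["acl_alice_write"] = acl.check("alice", "file1", "write")   # True
    # Delegation: Alice's process hands its file1 ticket to Bob's process. The
    # monitor checks only the ticket, so whoever holds it may write file1.
    delegated = alice_caps["file1"]
    results["cap_delegated_write"] = caps.check(delegated, "file1", "write")          # True
    # A ticket names one resource; file2's ticket is useless on file1.
    results["cap_wrong_resource"] = caps.check(alice_caps["file2"], "file1", "read")  # False
    # A forged ticket fails: it is not in the monitor's table.
    results["cap_forged"] = caps.check("00" * 16, "file1", "read")                    # False
    # Revocation: the ACL revokes per user; revoking the ticket cuts off every holder,
    # Bob's delegated copy included.
    acl.revoke("alice", "file1")
    caps.revoke(delegated)
    results["acl_after_revoke"] = acl.check("alice", "file1", "read")    # False
    results["cap_after_revoke"] = caps.check(delegated, "file1", "read")  # False
    return results
```

Note how delegation needs no cooperation from the ACL owner or the monitor in the capability case, and how revocation is the mirror image: trivial per user with an ACL, all-or-nothing per ticket with capabilities.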
Figure: Server 1 (marketing), Server 2 (human resources), Server 3.

Operating Systems
Unix access control

Process has a user id:
 - Inherited from the creating process
 - The process can change its id, from a restricted set of options
 - The special root id bypasses access control restrictions

File has an access control list (ACL):
 - Grants permissions to user ids
 - Three classes: owner, group, other, each with read, write and execute bits

Question: the owner can have fewer privileges than "other". What happens: does the owner get access, or not?
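The Unix check as an added example (not from the slides), written out so the question above can be answered by running it. The file owners, modes and user ids are constructed; the rule implemented is the classic one: exactly one class (owner, else group, else other) is consulted, and the bits of the other classes are ignored, so an owner with fewer bits than "other" is refused.

```python
# Permission bits within one class (owner, group or other).
R, W, X = 4, 2, 1

def parse_mode(ls_string):
    """Turn an ls-style string such as '-rw-r--r--' into 9 permission bits (0o644).
    Any non-dash character counts as set, so 's' and 't' are read as x."""
    bits = 0
    for ch in ls_string[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits

def unix_access(mode, file_uid, file_gid, euid, egid, groups, want):
    """Decide whether a process (euid, egid, supplementary groups) may perform
    `want` (R, W or X) on a file (mode, file_uid, file_gid).
    Exactly one class is consulted: owner if euid matches, else group if any
    group matches, else other. Root (euid 0) bypasses read and write; for
    execute it still needs at least one x bit somewhere in the mode."""
    if euid == 0:
        return want != X or bool(mode & 0o111)
    if euid == file_uid:
        cls = (mode >> 6) & 7
    elif egid == file_gid or file_gid in groups:
        cls = (mode >> 3) & 7
    else:
        cls = mode & 7
    return bool(cls & want)

def owner_with_fewer_rights():
    """File owned by uid 18, mode -r--rw-rw-: the owner cannot write, everyone else can."""
    mode = parse_mode("-r--rw-rw-")
    owner = unix_access(mode, 18, 18, euid=18, egid=18, groups=[], want=W)
    other = unix_access(mode, 18, 18, euid=25, egid=25, groups=[], want=W)
    return owner, other          # (False, True)

def setuid_example():
    """A process that execs user 18's setuid program checks as euid 18: it may write
    18's -rw-r--r-- file but only read 25's. Root writes anything, but cannot
    execute a file with no x bit."""
    mode = parse_mode("-rw-r--r--")
    return {
        "write_18s_file": unix_access(mode, 18, 18, 18, 18, [], W),   # True
        "write_25s_file": unix_access(mode, 25, 25, 18, 18, [], W),   # False
        "read_25s_file":  unix_access(mode, 25, 25, 18, 18, [], R),   # True
        "root_write":     unix_access(mode, 25, 25, 0, 0, [], W),     # True
        "root_exec":      unix_access(mode, 25, 25, 0, 0, [], X),     # False
    }
```

The "owner loses" behaviour is deliberate: it lets an owner protect a file from their own programs (or from a careless `rm`) without touching what others may do, and chmod by the owner can always widen it again.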
Setuid

Each Unix process carries a real user ID (RUID), an effective user ID (EUID), which is the one used for access checks, and a saved user ID, so the previous EUID can be restored. Real group ID and effective group ID are used similarly.

Example: a process with RUID 25 calls exec() on a setuid program owned by user 18, so its EUID becomes 18. With one file owned by 18 and one owned by 25, both mode -rw-r--r--, the process can now write 18's file (it checks as owner) but only read 25's file (it checks as "other").

Setuid programming

Be careful with setuid 0! Root can do anything; don't get tricked.
Principle of least privilege: change the EUID as soon as root privileges are no longer needed.
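The privilege-dropping discipline for a setuid program, as an added example that is not from the slides. It assumes Linux, where os.getresuid and os.setresuid expose all three IDs; run as an ordinary user every call is a no-op, and the point is visible only when the script is installed setuid root.

```python
import os

def real_uid():
    return os.getuid()

def uids():
    """(real, effective, saved) user IDs of the calling process."""
    return os.getresuid()

def drop_privileges_temporarily():
    """Make the effective ID the real (unprivileged) ID while handling untrusted
    input. The saved ID is left alone, so the privileged ID can be recovered."""
    ruid, _euid, _suid = os.getresuid()
    os.setresuid(-1, ruid, -1)          # -1 leaves that ID unchanged
    return os.getresuid()

def restore_privileges():
    """Switch the effective ID back to the saved ID, the privileged ID the setuid
    program started with. Only possible while the saved ID still holds it."""
    _ruid, _euid, suid = os.getresuid()
    os.setresuid(-1, suid, -1)
    return os.getresuid()

def drop_privileges_permanently():
    """Set all three IDs to the real ID. Once the saved ID no longer holds root a
    later compromise cannot setresuid back. Supplementary groups and the group
    IDs are cleared first, because clearing them itself requires root."""
    if os.geteuid() == 0:
        os.setgroups([])
        rgid = os.getgid()
        os.setresgid(rgid, rgid, rgid)
    ruid = os.getuid()
    os.setresuid(ruid, ruid, ruid)
    return os.getresuid()

def privileges_are_gone():
    """Verify the drop the way a careful setuid program does: an attempt to regain
    EUID 0 must fail. Returns False if the process still has root."""
    if os.geteuid() == 0:
        return False
    try:
        os.seteuid(0)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    print("start   ", uids())
    print("dropped ", drop_privileges_temporarily())
    print("restored", restore_privileges())
    print("final   ", drop_privileges_permanently(), "gone:", privileges_are_gone())
```

The temporary drop is what a setuid-root program should do before parsing anything an attacker controls; the permanent drop is what it should do as soon as the one privileged operation (binding a low port, opening a protected file) is complete. Checking the result rather than trusting the call is not paranoia: a failed setuid-family call that goes unnoticed leaves the program root.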
Unix summary

Good things:
 - Some protection from most users
 - Flexible enough to make things possible

Main limitation:
 - Too tempting to use root privileges
 - No way to assume some root privileges without all root privileges

Windows access control

Some additional concepts: tokens, security attributes. Generally more flexible than Unix: can define new permissions; can give some but not all administrator privileges.
Security descriptor

Each object carries a security descriptor holding:
 - SID of the object's owner
 - SID of the primary group of the object
 - Two attached optional lists: the Discretionary Access Control List (DACL), listing users and groups and their access, and the System Access Control List (SACL), used for system logs (DACL for access, SACL for audit and logging)

Example

Token of the requesting process: User: Mark; Group1: Administrators; Group2: Writers
Security descriptor fields: Revision number, Control flags, Owner SID, Group SID, DACL pointer, SACL pointer
DACL: Deny Writers Read, Write; Allow Mark Read, Write

Access request: write. Action: denied. User Mark requests write permission; the descriptor denies it to the group Writers, which Mark belongs to, so the reference monitor denies the request.
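The DACL walk that produces that denial, as an added example that is not from the slides. SIDs and access-right bits are constructed; the model omits the implicit rights Windows gives an owner and the generic-to-specific mapping of real access masks, but the order-dependent evaluation is the real one: a matching deny ACE that covers any still-outstanding right refuses the request, allow ACEs accumulate rights, and running off the end with rights outstanding is a denial.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed access-right bits for the example (real Windows masks are wider).
READ, WRITE = 0x1, 0x2

@dataclass
class Ace:
    kind: str    # "deny" or "allow"
    sid: str     # trustee: a user or group SID
    mask: int    # rights this entry denies or grants

@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    dacl: Optional[List[Ace]] = None                 # None: no DACL, everyone gets full access
    sacl: List[Ace] = field(default_factory=list)    # audit entries; not consulted for access

@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids

def access_check(token, sd, desired):
    """Walk the DACL in order. A matching deny ACE covering an outstanding right
    rejects at once; matching allow ACEs strip granted bits from `remaining`, and
    the request succeeds once nothing is outstanding. An empty DACL denies all."""
    if sd.dacl is None:
        return True
    remaining = desired
    for ace in sd.dacl:
        if not token.holds(ace.sid):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

MARK = Token("S-Mark", {"S-Administrators", "S-Writers"})

def slide_example(desired):
    """The page's case: DACL denies Writers read/write, then allows Mark read/write.
    Mark is in Writers, so the deny entry is hit first and the request is refused."""
    sd = SecurityDescriptor("S-Mark", "S-Writers",
                            dacl=[Ace("deny", "S-Writers", READ | WRITE),
                                  Ace("allow", "S-Mark", READ | WRITE)])
    return access_check(MARK, sd, desired)

def reordered_example(desired):
    """Same two entries with the allow first. Mark's rights are fully granted before
    the deny is reached, so the same request now succeeds. ACE order is policy,
    which is why the canonical order places deny entries ahead of allow entries."""
    sd = SecurityDescriptor("S-Mark", "S-Writers",
                            dacl=[Ace("allow", "S-Mark", READ | WRITE),
                                  Ace("deny", "S-Writers", READ | WRITE)])
    return access_check(MARK, sd, desired)

def empty_vs_null_dacl():
    """Empty DACL ([]) grants nobody anything; a missing DACL (None) grants everyone."""
    empty = SecurityDescriptor("S-Mark", "S-Writers", dacl=[])
    null = SecurityDescriptor("S-Mark", "S-Writers", dacl=None)
    return access_check(MARK, empty, READ), access_check(MARK, null, READ)   # (False, True)
```

The empty-versus-null distinction is a classic footgun: code that "clears" a DACL by setting a null pointer has opened the object to everyone, not locked it down.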
Browser security architecture

Operating system compared with the web browser:

                   Operating system                       Web browser
  Subject                                                 Web content (JavaScript); has an origin; mandatory access control
  Objects          File, network                          Document object model, frames, cookies / localStorage
  Vulnerabilities  Untrusted programs, buffer overflow    Cross-site scripting, implementation bugs

The web browser enforces its own internal policy. If the browser implementation is corrupted, this mechanism becomes unreliable.
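The mandatory policy the table attaches to the browser subject is keyed on the origin tuple. As an added example (not from the slides) the check below derives an origin from a URL and decides whether script from one document may reach another document's DOM; the URLs are constructed, and the rule it implements is scheme, host and port equality with default ports filled in.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Origin = (scheme, host, port). The default port is filled in and the host is
    lower-cased; path, query and fragment play no part in the origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a, url_b):
    return origin_of(url_a) == origin_of(url_b)

def may_access_dom(script_document_url, target_frame_url):
    """The decision the browser takes when script running in one document touches
    the DOM of a frame: identical origin tuple, or the access is refused."""
    return same_origin(script_document_url, target_frame_url)

def decisions():
    """Constructed cases: an explicit default port and a different path are the same
    origin; a different scheme, subdomain or port is not."""
    page = "http://example.com/index.html"
    return {
        "default_port":  may_access_dom(page, "http://example.com:80/other/page"),   # True
        "case_in_host":  may_access_dom(page, "http://EXAMPLE.com/"),                # True
        "https":         may_access_dom(page, "https://example.com/"),               # False
        "subdomain":     may_access_dom(page, "http://api.example.com/"),            # False
        "other_port":    may_access_dom(page, "http://example.com:8080/"),           # False
    }
```

Cookies are the exception the table hints at: they are scoped by host and path rather than by this tuple, which is why a cookie set by one origin can be readable from another scheme or port on the same host.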
Chromium

Communicating sandboxed components. See: http://dev.chromium.org/developers/design-documents/sandbox/

Design decisions:
 - Compatibility: sites rely on the existing browser security policy, and a browser is only as useful as the sites it can render; this rules out more clean-slate approaches
 - Black box: only the renderer may parse HTML, JavaScript, etc.; the browser kernel enforces a coarse-grained security policy, and the renderer enforces the finer-grained policy decisions
 - Minimize user decisions

Task allocation

(Figure: which tasks run in the browser kernel and which in the sandboxed renderer.)

Leverage OS isolation

Sandbox based on four OS mechanisms:
 - A restricted token
 - The Windows job object
 - The Windows desktop object
 - Windows Vista only: integrity levels

Summary

 - Security principles: isolation, principle of least privilege; qmail example
 - Access control concepts: matrix, ACL, capabilities
 - OS mechanisms: Unix file system, setuid; Windows file system, tokens, EFS
 - Browser security architecture: an isolation and least privilege example